Low Unverified

smp.cat Ransomware Attack by Safepay (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

[Screenshot: leak site post claiming smp.cat data breach. Captured at time of discovery; image blurred to protect victim PII.]

Claim Summary

The ransomware group known as Safepay has allegedly claimed responsibility for a cyberattack against smp.cat, a private healthcare organization based in Catalonia, Spain. According to the group’s leak site, the attack occurred on May 6, 2026. The group claims to have exfiltrated data from the organization, which operates in the Hospitals & Physicians Clinics sector and was founded in 1993. The volume of data allegedly stolen has not been disclosed. This information has not been independently verified by Yazoul Security.

Threat Actor Profile

Safepay is a ransomware group with an unknown total number of confirmed victims. Public research on this group is scarce, making it difficult to assess their operational maturity or credibility. Based on available intelligence, the group has been observed using a specific set of tools and tactics, including:

  • Discovery: Invoke-ShareFinder for network share enumeration.
  • Archiving: 7-Zip and WinRAR for compressing stolen data.
  • Lateral Movement: CMSTPLUA, dllhost.exe, and Regsvr32.exe for executing code and bypassing User Account Control (UAC).

These tools suggest a focus on data exfiltration prior to encryption, a common tactic among modern ransomware groups. However, without a known track record of successful attacks or verified leaks, Safepay’s credibility remains low. Ransomware groups often exaggerate or fabricate claims to pressure victims into paying ransoms. No YARA rules or specific detection guidance for Safepay is currently available.
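A hunting sketch for the tooling listed above, added here as an example; it is not Yazoul Security's detection content and not a Safepay-specific signature. It matches the named tools in process-creation events and flags hosts where share enumeration and archive creation both appear. The event fields (`host`, `image`, `cmdline`), rule names and sample events are constructed for illustration; the CLSID is the publicly documented one for the CMSTPLUA COM object.

```python
import ntpath
import re
from collections import defaultdict

# CLSID of the CMSTPLUA COM object; dllhost.exe hosting it marks the UAC bypass.
CMSTPLUA_CLSID = "3e5fc7f9-9a51-4367-9063-a120244fbec7"
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)

def classify(event):
    """Return the set of rule names one process-creation event matches."""
    exe = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"].lower()
    hits = set()
    if "invoke-sharefinder" in cmd:
        hits.add("share_enumeration")
    # " a " is the add-to-archive command of the 7-Zip and RAR command lines.
    if exe in ARCHIVERS and re.search(r"\sa\s", cmd):
        hits.add("archive_staging")
    if exe == "dllhost.exe" and CMSTPLUA_CLSID in cmd:
        hits.add("cmstplua_uac_bypass")
    # regsvr32 is routine for installers; flag only DLLs in user-writable paths.
    if exe == "regsvr32.exe" and WRITABLE.search(cmd):
        hits.add("regsvr32_writable_path")
    return hits

def hunt(events):
    """Group matched rule names by host, dropping hosts with no match."""
    by_host = defaultdict(set)
    for ev in events:
        by_host[ev["host"]] |= classify(ev)
    return {h: sorted(r) for h, r in by_host.items() if r}

def staging_hosts(events):
    """Hosts with both discovery and archiving: theft staged before encryption."""
    want = {"share_enumeration", "archive_staging"}
    return sorted(h for h, r in hunt(events).items() if want <= set(r))

# Constructed sample events, not taken from any real incident.
SAMPLE = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Invoke-ShareFinder"},
    {"host": "ws01", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a C:\ProgramData\out.7z \\fs01\records"},
    {"host": "ws02", "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": "dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"host": "ws03", "image": r"C:\7-Zip\7z.exe", "cmdline": r"7z.exe x C:\Users\ana\setup.7z"},
]
print(hunt(SAMPLE), staging_hosts(SAMPLE))
```

Archivers and regsvr32 are common in legitimate administration, so single-rule hits are leads for triage; the combined hit from `staging_hosts` is the higher-priority signal.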

Alleged Data Exposure

Safepay claims to have stolen data from smp.cat, but the specific types of data allegedly compromised have not been detailed. Given smp.cat’s role as a healthcare provider, potential data types could include:

  • Patient medical records and treatment histories.
  • Personally identifiable information (PII) such as names, addresses, and contact details.
  • Financial information, including billing and insurance data.
  • Internal operational documents and employee records.

The lack of a data sample or detailed description on the leak site raises suspicions about the validity of the claim. Healthcare data is highly sensitive and valuable, making it a prime target for ransomware groups, but the absence of evidence weakens Safepay’s assertion.

Potential Impact

If the claim is verified, the impact on smp.cat could be severe. A data breach in the healthcare sector can lead to:

  • Regulatory Penalties: Potential fines under GDPR and Spanish data protection laws for exposing patient data.
  • Operational Disruption: Ransomware encryption could disrupt medical services, patient care, and administrative functions.
  • Reputational Damage: Loss of trust among patients and partners, potentially leading to a decline in business.
  • Legal Liability: Class-action lawsuits from affected individuals whose data was exposed.

However, without confirmation, these impacts remain speculative. smp.cat has not publicly commented on the alleged incident.

What to Watch For

Yazoul Security recommends monitoring the following:

  • Official Statements: Watch for any confirmation or denial from smp.cat regarding the alleged breach.
  • Leak Site Activity: Check if Safepay releases samples or additional details to validate their claim.
  • Dark Web Chatter: Look for discussions about the data being sold or shared on underground forums.
  • Regulatory Notifications: Monitor for any breach notifications filed with Spanish or EU data protection authorities.

For more intelligence on ransomware threats, visit Yazoul Security’s threat intelligence page at /intel/.

Disclaimer

This report is based on unverified claims made by the Safepay ransomware group on their leak site. Yazoul Security has not independently confirmed the attack, the data theft, or the identity of the victim. Ransomware groups frequently exaggerate or fabricate claims to pressure victims. Readers should treat this information with caution and await official confirmation from smp.cat or relevant authorities. No PII, download links, or access credentials are included in this report.
